Hi:
I have read the Shiro documents and followed some tutorials.
Now I am interested in resource-based authentication.
For a standalone application I will use

    subject.isPermitted("resources:action:id")

to check whether the current user has the authentication.
But in a web application Shiro provides filter chains that filter according
to the requested URLs.
For example, I have a config like this:

    [main]
    /user/** = role[admin]

    [roles]
    admin = user:*

And this is the controller:

    @Controller
    @RequestMapping("/users")
    class UserController {

        // user should have 'user:add' permission
        public String addForm() {/....}

        // user should have 'user:add' permission
        public String addUser() {.........}

        // user should have 'user:delete' permission
        public String deleteUser() {.........}
    }

Normally, I will check whether the user has the permission inside the methods
of the UserController. Now if I add the filter chains, does it mean that
when these methods are invoked, the user in the current session must have
the role of `admin`? I do not have to check the permission here?
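
The two kinds of check the question contrasts, a role test such as the URL filter performs and the per-action `isPermitted` test, shown side by side as an added example that is not part of the original post or of Shiro's own code. The `[roles]` line `admin = user:*` comes from the post; the users `alice` and `bob`, the `clerk` role, the password and the class name are assumptions constructed for contrast.

```java
import org.apache.shiro.authc.UsernamePasswordToken;
import org.apache.shiro.config.Ini;
import org.apache.shiro.mgt.DefaultSecurityManager;
import org.apache.shiro.realm.text.IniRealm;
import org.apache.shiro.subject.Subject;

public class RoleVsPermissionDemo {

    // Constructed sample data. Only "admin = user:*" is taken from the post;
    // the users, the password and the "clerk" role are hypothetical.
    static final String INI = String.join("\n",
        "[users]",
        "alice = secret, admin",
        "bob = secret, clerk",
        "[roles]",
        "admin = user:*",
        "clerk = user:add");

    // Build a standalone (non-web) subject and authenticate it.
    static Subject login(DefaultSecurityManager sm, String user) {
        Subject s = new Subject.Builder(sm).buildSubject();
        s.login(new UsernamePasswordToken(user, "secret"));
        return s;
    }

    // One line per subject: the role test next to the two permission tests
    // named in the controller comments.
    static String report(Subject s) {
        return String.format("%s role[admin]=%b user:add=%b user:delete=%b",
            s.getPrincipal(),
            s.hasRole("admin"),
            s.isPermitted("user:add"),
            s.isPermitted("user:delete"));
    }

    public static void main(String[] args) {
        Ini ini = new Ini();
        ini.load(INI);
        DefaultSecurityManager sm = new DefaultSecurityManager(new IniRealm(ini));

        // alice holds the admin role, whose wildcard user:* implies every user action.
        System.out.println(report(login(sm, "alice")));
        // bob lacks the admin role but still holds user:add through clerk.
        System.out.println(report(login(sm, "bob")));
    }
}
```

Run it with the Shiro core jar and a logging binding on the classpath; the two report lines show that a role test and a permission test can give different answers for the same subject.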